PFI Knowledge Solutions

Liferay Digital Experience Platform (DXP)

Liferay is an industry-leading open source Portal and Digital Experience Platform used by public service organisations and industry globally. PFIKS provides this service to enable you to jump-start your Digital Transformation programme with a solid, high-performing and low-cost portal platform.


  • Sophisticated, but easy to use Content Management System
  • Graphical workflow designer to build processes and workflow
  • Highly granular permissioning of content through roles and groups
  • Ability to create, tag and categorise content immediately
  • Personalisation through audience targeting and segmentation
  • Form builder to design and publish complex multipage forms
  • Embedded search by Elasticsearch for all content including external sources
  • Inline image editor and asset management capability
  • OOTB Mobile friendly with native app builder tool kit
  • Simple connections to authentication systems CAS, LDAP, NTLM, OpenSSO


  • Ready to use immediately to start configuring your services
  • Offering return-on-investment within the shortest timeframe
  • Low total cost of ownership for world leading Portal platform
  • Control your costs by right-sizing your service
  • Open standards platform eases integrations, development, migrations
  • Adaptability and flexibility in managing or extending features
  • Scalable system to meet high levels of demand as required
  • Benefit from the flexibility and cost of our cloud infrastructure
  • Retain control of your core applications, application hosting environment
  • Backed by the UK’s leading Liferay partners


£13000 per unit per year

  • Education pricing available


G-Cloud 10


PFI Knowledge Solutions

Jenny Dias

0207 016 8843

Service scope

Service constraints: None
System requirements:
  • Computer with a browser
  • Internet connection

User support

Email or online ticketing support: Email or online ticketing
Support response times: Priority 1 incidents: response within 1 hour. P2, P3 and P4: within 2 hours during business hours of 9-5pm weekdays, excluding UK public holidays.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.0 AA or EN 301 549
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: For priority 1 incidents the response will be within 1 hour. For P2, P3 and P4 within 2 hours during business hours of 9-5pm weekdays, excluding UK public holidays.
The support desk is administered by a dedicated Technical Support Administrator.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We provide a 1-day workshop, either on site or via web conferencing, to provide basic training and administration of the service.
Service documentation: Yes
Documentation formats: HTML
End-of-contract data extraction: By request, all relational data and file content is provided in encrypted zip format.
End-of-contract process: Customer is contacted 3 months prior to end of contract to renew. They will have 2 months to renew the contract.

Using the service

Web browser interface: Yes
Using the web interface: Use all the features of the service. Deploy customisations.
Web interface accessibility standard: WCAG 2.0 AA or EN 301 549
Web interface accessibility testing: WAVE accessibility testing on all user interface components.
What users can and can't do using the API: Create/update/delete users/sites/content.
API automation tools:
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
API documentation: Yes
API documentation formats: HTML
Command line interface: No


Scaling available: No
Independence of resources: Services are monitored continuously, with alerting to the support team. Components are sized with adequate peak headroom.
Usage notifications: Yes
Usage reporting: Email


Infrastructure or application metrics: Yes
Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types: Reports on request


Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: Liferay, Amazon Web Services

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach: All data encrypted at rest using AES-256.
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery: Yes
What’s backed up: Server volumes and all client data
Backup controls: Default backup schedule can be adjusted on request
Datacentre setup: Multiple datacentres with disaster recovery
Scheduling backups: Users contact the support team to schedule backups
Backup recovery: Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network: Other
Other protection within supplier network: A VPC is an isolated portion of the AWS cloud within which customers can deploy Amazon EC2 instances into subnets that segment the VPC’s IP address range (as designated by the customer) and isolate Amazon EC2 instances in one subnet from another. Amazon EC2 instances within a VPC are only accessible by a customer via an IPsec Virtual Private Network (VPN) connection that is established to the VPC.

Availability and resilience

Guaranteed availability: Uptime target of 99.9%, excluding any planned maintenance.
Approach to resilience: Redundancy across all application tiers, spread across multiple physical data centers.
Outage reporting: Service outages are reported on the PFIKS Support platform where customers are added to the ticket and emailed the details.

Identity and authentication

User authentication:
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels: Users log in with a username and password or sign in via a federated authentication method, such as Google, LinkedIn, or third-party OpenID Connect providers.
Access restriction testing frequency: At least once a year
Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through:
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: UKAS by Bureau Veritas
ISO/IEC 27001 accreditation date: 03/02/2017
What the ISO/IEC 27001 doesn’t cover: No Limitations
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: PFIKS are ISO27001 certified and adhere to policies and procedures in accordance with the ISMS standard.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Change Control Policy and Procedure – Specifies the scope and process for change control of our organisation’s information processing facilities for hardware, software and devices.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: All components within the stack (infrastructure and software) are continuously tested for vulnerabilities. PFIKS are alerted to any detected vulnerabilities by third-party suppliers, and take action on a timescale commensurate with the severity.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Services are monitored continuously, with alerting to the support team. The support team will assess the potential compromise and undertake corrective action according to the severity threat level.
Incident management type: Supplier-defined controls
Incident management approach: Incidents are managed through our support desk. The CSO and ISO ensure appropriate action is taken in accordance with ISO27001 Incident management policy.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
Who implements virtualisation: Third-party
Third-party virtualisation provider: Citrix XenServer
How shared infrastructure is kept separate: Clients run in their own virtual private cloud (VPC), which isolates them from all other services.

Energy efficiency

Energy-efficient datacentres: Yes


Price: £13000 per unit per year
Discount for educational organisations: Yes
Free trial available: No

